Commit | Line | Data |
---|---|---|
ab881f03 MTL | 1 | The following PCRs are extended by shim: |
ab881f03 MTL | 2 | |
ab881f03 MTL | 3 | PCR4: |
ab881f03 MTL | 4 | - the Authenticode hash of the binary being loaded will be extended into |
ab881f03 MTL | 5 | PCR4 before SB verification. |
f892ac66 MTL | 6 | - the hash of any binary for which Verify is called through the shim_lock |
f892ac66 MTL | 7 | protocol |
ab881f03 MTL | 8 | |
ab881f03 MTL | 9 | PCR7: |
ab881f03 MTL | 10 | - Any certificate in one of our certificate databases that matches a binary |
ab881f03 MTL | 11 | we try to load will be extended into PCR7. That includes: |
031e5cce SM | 12 | - DBX - the system denylist, logged as "dbx" |
031e5cce SM | 13 | - MokListX - the Mok denylist, logged as "MokListX" |
031e5cce SM | 14 | - vendor_dbx - shim's built-in vendor denylist, logged as "dbx" |
031e5cce SM | 15 | - DB - the system allowlist, logged as "db" |
031e5cce SM | 16 | - vendor_db - shim's built-in vendor allowlist, logged as "db" |
031e5cce SM | 17 | - MokList - the Mok allowlist, logged as "MokList" |
031e5cce SM | 18 | - vendor_cert - shim's built-in vendor allowlist, logged as "Shim" |
031e5cce SM | 19 | - shim_cert - shim's build-time generated allowlist, logged as "Shim" |
ab881f03 MTL | 20 | - MokSBState will be extended into PCR7 if it is set, logged as |
ab881f03 MTL | 21 | "MokSBState". |
031e5cce SM | 22 | - SBAT will be extended into PCR7 if it is set, logged as "SBAT" |
ab881f03 MTL | 23 | |
7bf7a6d0 MTL | 24 | PCR8: |
7bf7a6d0 MTL | 25 | - If you're using the grub2 TPM patchset we carry in Fedora, the kernel command |
7bf7a6d0 MTL | 26 | line and all grub commands (including all of grub.cfg that gets run) are |
7bf7a6d0 MTL | 27 | measured into PCR8. |
031e5cce SM | 28 | |
7bf7a6d0 MTL | 29 | PCR9: |
031e5cce SM | 30 | - If you're using the grub2 TPM patchset we carry in Fedora, the kernel, |
7bf7a6d0 MTL | 31 | initramfs, and any multiboot modules loaded are measured into PCR9. |
7bf7a6d0 MTL | 32 | |
ab881f03 MTL | 33 | PCR14: |
ab881f03 MTL | 34 | - MokList, MokListX, and MokSBState will be extended into PCR14 if they are |
ab881f03 MTL | 35 | set. |
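
A verifier can check the PCRs listed above by replaying the boot event log and comparing the result with the quoted PCR values. The sketch below is an added example, not part of shim's documentation or code. It assumes the SHA-256 bank and a hypothetical event format of `(pcr_index, description, digest)` tuples; the sample digests and the `grubx64.efi` label are constructed.

```python
import hashlib

SHIM_PCRS = (4, 7, 8, 9, 14)  # PCR indexes named in the text above
CONDITIONAL_PCR7 = {"MokSBState", "SBAT"}  # logged only "if it is set"


def extend(pcr, digest):
    """TPM extend operation: new = SHA-256(old || digest)."""
    return hashlib.sha256(pcr + digest).digest()


def replay(events):
    """Replay (pcr_index, description, digest) tuples in log order."""
    pcrs = {i: bytes(32) for i in SHIM_PCRS}  # these PCRs start as zeros
    seen = {i: [] for i in SHIM_PCRS}
    for index, desc, digest in events:
        if index not in pcrs:
            continue  # PCR not covered by this document
        if len(digest) != 32:
            raise ValueError(f"bad SHA-256 digest length for {desc!r}")
        pcrs[index] = extend(pcrs[index], digest)
        seen[index].append(desc)
    return pcrs, seen


def verify(events, quoted):
    """Return (PCR indexes whose replayed value differs from the quote,
    conditional PCR7 entries present in the log)."""
    pcrs, seen = replay(events)
    mismatched = sorted(i for i in quoted if pcrs.get(i) != quoted[i])
    flagged = [d for d in seen[7] if d in CONDITIONAL_PCR7]
    return mismatched, flagged


def h(label):
    # Constructed stand-in digest; a real log carries the measured hash.
    return hashlib.sha256(label.encode()).digest()


# Constructed sample log, in the order the events would have been extended.
SAMPLE_LOG = [
    (4, "grubx64.efi", h("authenticode-hash")),
    (7, "db", h("matching-db-certificate")),
    (7, "SBAT", h("sbat-variable")),
    (14, "MokList", h("moklist-variable")),
]
```

Because extend is order-sensitive, a log that lists the same events in a different order, or that omits one, replays to a different PCR value and shows up in the mismatch list.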